
August 1, 2025 • 45 mins

Submit any questions you would like answered on the podcast!

Schedule your free SPRS Roadmap Session and get a step-by-step plan to close gaps and stay defensible:
👉 https://cmmccomplianceguide.com/free-sprs-roadmap

Is CMMC just one of many hats you wear at your company? You’re not alone and you’re not out of luck.

In this episode of the CMMC Compliance Guide, we break down how overworked and under-resourced compliance leads can still make meaningful progress toward CMMC and NIST 800-171. Whether you're a part-time compliance officer, the IT guy, or the quality manager who just got handed CMMC, we’ll walk you through a phased, practical approach you can tackle in just a few hours a week.

From identifying CUI and building your data flow diagrams to implementing MFA, FIPS, and policy templates the right way—this is your guide to making CMMC doable without the burnout.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_02 (00:00):
Hey there, welcome to the CMMC Compliance Guide
Podcast.
I'm Austin.

SPEAKER_00 (00:04):
And I'm Brooke.

SPEAKER_02 (00:05):
From Justice IT Consulting.
We're here to help businesses like yours navigate CMMC and NIST 800-171 compliance.
We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so.
Let's dive into today's episode and keep your business on track.

(00:27):
Today's episode is for the overworked, under-resourced, and part-time compliance lead. You know who you are. If CMMC is just one of the many hats you're wearing, we're going to walk you through how to make real progress anyway.
So Brooke, let's start with the obvious.
What makes CMMC so tough for small businesses?
I know that's a loaded question.

SPEAKER_00 (00:47):
Well, it is a loaded question.
And you hit on the biggest thing just a minute ago when you said many hats, because in a small business, you know, everybody wears multiple hats.
You know, we're a small business and I don't just get to do one position.
You know, I do multiple positions just like you do.
I think... No, I don't.
I don't know what you're talking about.

(01:11):
I do a lot of things.
Let me step back.
The IT guy, because in a small business, you don't have an IT manager.
You might call that person an IT manager, but it's the overall many-hats IT guy.

(01:32):
And you give them another hat to wear, and that's compliance.
And then it might be the quality guy, or it might be– could be the CEO or CFO, or it could be somebody else.
But it's somebody like that that already has a full plate that's trying to understand and then implement CMMC.

(01:55):
So it's a lot of work to do for one person.
And generally, if it's not the CEO that takes it under their own wing, they say, here, we need to be compliant because we've got this contract and I need you to get us compliant.
And so you've got to understand and learn what all the CMMC stuff is.

(02:16):
You've got to know all the NIST 800-171 controls and all the assessment objectives, how they layer CMMC in on top of that, and the whole nine yards.
You've got to know all that, and then you've got to go implement it and figure out how to fit your environment in.
So it is complicated, and the stakes are kind of high because if you get it wrong, it could mean a longer assessment, not ready for an assessment.

(02:42):
All right.

SPEAKER_02 (02:52):
So next question for you is where should someone start if they only have a few hours a week for this?

SPEAKER_00 (02:57):
First of all, you need to start at reading through the whole thing and understanding it, which is no small feat, especially if you're starting from ground zero.
But even if you think you know this stuff, going through and actually understanding, actually reading some of the documents that it's based on, you know, that's a lot to take in.

(03:19):
So you've got to understand it first.
Then you start with a gaps assessment.
You know, where are you at right now and where do you need to be?
Then you figure out where all your CUI is.
Where is it in your system?
Could be where you want to make it be if you want to make an enclave or something like that.
But you've got to figure out what CUI you have and where it is right now.
Then you've got to figure out where it comes from and where it goes.

(03:40):
That's a CUI data flow diagram.
So we download it out of this portal.
We get it through email.
I hope not.
But anyway, we get it through email over here or whatever it may be.
This is how it comes into us.
These are the systems of ours that it goes into and it flows through.
And then if we send it out, it goes out this way.

(04:01):
So you need to have your CUI data flow diagram understood.
You need to understand the way it is, and then it's very likely it probably needs to change a little bit or a lot.
So you can absolutely change that, but you need to understand that.
And then from there, it's starting with the controls and doing the most obvious easy stuff first, locking down user accounts, locking down ACLs for access to information, making sure that not everybody operates as an admin, stuff like that.

(04:22):
Easy stuff that you can do and tackle.

(04:44):
Um, and you can do this in short sprints and, uh, you know, as long as you plan, you know, a couple hours a week, uh, now it'll take a long time at a couple hours a week, but if you, as long as you plan a couple hours a week or more, but set aside time when you're not wearing one of your other hats to wear this hat, you know, you can, you can make progress on that by doing these short sprints of a couple hours or so each.

SPEAKER_02 (05:07):
Yeah, you said something a minute ago about actually starting with reading.
Yes.
Did you say the 800-171, the NIST 800-171?

SPEAKER_00 (05:17):
Yes.
Revision two, not three.
Right.
It's not the current one.
Yes, for now.

SPEAKER_02 (05:23):
For now, yeah.
So I went on a meeting the other day with a prospective customer, and it was– it's always– quality manager and typically the GM or owner, especially at these aerospace machine shops and whatnot.
Anyway, and the reason I'm bringing it up is because it was the first quality manager I'd met that was rather learned, if you will, up to speed on compliance.

(05:46):
And he had mentioned that he had spent probably the better part of the past five years getting learned up on it.
Um, and, uh, anyway, so I'll bring that up to, to say that it can be done.

(06:07):
Um, but, uh, if, if this is a task that's in your lap, I wouldn't wait to start reading, um, that, um, enthralling document that is, uh, uh, NIST 800-171 revision two.
Um, cause it can be done.
You can get educated on it.
You can do it yourself, but, um, it does take some time.

(06:29):
Maybe not... It doesn't have to take five years, but it takes some time to digest it and then start applying it.

SPEAKER_00 (06:35):
It does take some time to digest it.
And there will be, if you're an IT guy or a quality manager and you haven't been doing compliance all these years, right, then it's going to be something that you have to figure out and understand.
Surprise, surprise, not everything is just laid out 100% clearly in terms that everybody understands.

(06:55):
You have to read through it.
You have to read some of the documents it's based on and all that kind of fun stuff.
So it's helpful to get other people's input, but you've got to be careful.
Looking on Reddit, you definitely have to be careful asking AI because AI will lie to you.

SPEAKER_02 (07:14):
It'll be very confident about it too.

SPEAKER_00 (07:15):
It'll be very confident and it'll seem very convincing, but AI will lie to you.
AI is good to use.
I'm not saying it's not.
AI is very useful, but you have to check it.
It's only as smart as everybody that has posted knowledge about it.
It can grab bad knowledge.
But be very careful about AI, about all these different social media sites that you can go to and where there's CMMC groups.

(07:40):
They're a great way to get some information and kind of muddle through some stuff.
But really, if you can ask some C3PAOs or some assessors, some certified CMMC assessors or certified CMMC professionals questions, that's where you can really start trusting your answer.

(08:04):
So it takes a lot of reading, a lot of discovery, and a lot of figuring these things out.
And don't just take somebody else's word for it is what I'm saying, especially AI.

SPEAKER_02 (08:15):
Yeah, basically what you're saying is there's no substitute for just, at the end of the day, looking at the documents and then the documents that it is referring to, you know, for definitions or what else, to get your answer.
Um, you know, it's, uh, there's no replacement for that.
You have to do that at the end of the day, whether you're talking to an assessor or something, you know, someone like us or Reddit or something like that, you know.

(08:37):
And, and so a quick little hack, um, that helps AI be better, but certainly not, um, you know, uh, some, someone, something that you trust a hundred percent, um, is if you upload the document into the AI and make it its reference manual.
So that way it's not pulling from a large model that it's cobbled together.

(09:00):
Like you just, you give it essentially the model, the document, and then you ask it questions about the document.
You'll get more reliable answers, but still that's not a substitute for, you know, figuring it out yourself or hiring a professional to give you guidance, because it'll still make stuff up.
But it's a good way to kind of cut your teeth and then use that understanding to then dive in and then reference the document yourself to verify, okay, what is this actually saying?

(09:24):
So a good hack, but not a solution.

SPEAKER_00 (09:34):
Absolutely.
Absolutely.
And don't forget that this is not just NIST 800-171 R2.
Yeah.
It's also all the stuff for other, the DFARS rules, the CMMC stuff that they've layered on top of it, things that they've clarified in those rules, all that kind of fun stuff. So you have to read those, you have to understand those as well. See how ESPs are addressed, for instance, you know, stuff like that.

SPEAKER_02 (09:56):
Absolutely, there's a whole host of information outside of just the 171 that will get you tripped up if you don't look at it as well.

SPEAKER_00 (10:06):
Yeah, I'm an IT guy.
I say, give me the controls, let me look at them, and I can implement them.
Give me this 800-171 R2, and I can do it.
But then, oh, well, you've got to reference this, or you've got to reference that.
Oh, there's CMMC stuff over here, too.
So it gets very complicated very quickly.
So, you know, we were talking about this and how complicated it is, and it is.

(10:27):
But the question was, you know, where does somebody start?
Mm-hmm.
That's really with... knowing what CUI you have, knowing where it is and where it comes from, doing a gaps assessment, and this can all be part of the gaps assessment, but doing a gaps assessment, drawing out a network diagram, a CUI data flow diagram, and understanding your systems, where your CUI lives, and keep in mind FCI as well.

(10:50):
And then after that, the next point after that is implementation, and you just get the low-hanging fruit so you can feel some good wins, you know. You know, remove everybody from the admins group, the local admin or domain admins group, if you have them there.

(11:14):
Lock down your ACLs on your server, for instance, and stuff like that.
But do the low-hanging fruit on the implementation.
So that's really it, is how you get started.

SPEAKER_02 (11:29):
Let's say that you've run a gap assessment.
Now you know where your CUI lives.
You've got kind of a network diagram to define the scope and the boundaries.
And you've done those low-hanging fruit items.
What would you do next?

SPEAKER_00 (11:42):
You know, one of the easy things to do is wherever you touch CUI, you have to have multi-factor authentication.
So the short answer is implement MFA for wherever you touch CUI.
So wherever you touch CUI, that has to be implemented, whether it's a privileged account or remote access or network access.

(12:06):
So really, if it's not privileged access and it's not network and you only access CUI on one machine and it's kept on that hard drive, I guess technically you don't necessarily have to have MFA.
But that's almost never going to be the case.
So wherever you touch CUI, implement MFA.
That's really a good one to start on.

(12:27):
You can knock that out.
Make sure, you know, it's good to have MFA anyway.
And, you know, we just had this talk at one of our tech meetings the other day is that, you know, having the token, the MFA tokens, you know, on your phone, you know, that's great.
That's great.
Less phishable, I guess, than an SMS password or an email code or something like that.

(12:56):
But even that's getting more and more phishable with token theft and all that kind of fun stuff.
And I know I'm kind of going down a rabbit hole here, but if you look at doing something like YubiKeys or passkeys or something like that.
Windows Hello for Business has to be implemented properly for any...

(13:17):
But anyway, that one you have to make sure you implement properly for CMMC.
Those are stronger MFA methods and less phishable, I should say.
And there's even attacks on those to downgrade and all sorts of other stuff.
If you go ahead and implement one of those less phishable MFA methods, it is a little more intensive, I guess, if you've not done it before.

(13:42):
But I would go ahead and start there so you don't have to go back and change things later on.
But as far as CMMC goes, MFA, however you get it implemented, and do MFA.
So that would be a really big one, reasonably easy to get started on after you get the low-hanging fruit, I should say.

(14:04):
Another one is FIPS-validated cryptography for CUI.
FIPS-validated cryptography for CUI is required for any CUI that's at rest, in transit, or processed.
So processed, stored, or transmitted CUI.

(14:26):
We shorten that to PST, right?
Anyway, so any of the PST methods for CUI, then you have to have FIPS cryptography.
So in other words, if you have a Windows server, you have CUI on it, you have to turn on FIPS mode and...

(14:51):
Red alert here, you know, only Server 2019 and 2016 have a FIPS-validated cryptography ready to go.
None of the other newer models do.
They're in the process, but they're not ready.
Windows 10 and 11, there are no currently supported versions that have a full FIPS-validated cryptography stack that you can use to implement for Windows 10 or 11, so...

(15:13):
Good luck.
They do make some exceptions for that.
But implement FIPS-validated cryptography everywhere you can.

(15:33):
Servers, your firewall, if you VPN in.
Now, the CUI needs to be protected once with FIPS-validated cryptography.
So if it's already encrypted... you don't have to worry about encrypting it again.
Or you don't have to worry about FIPS-validated encryption again.

(15:56):
So if you VPN in, but you're only communicating over SMB, for instance, then as long as it's turned on, you're good.
But if you're doing anything that might be less than FIPS-validated cryptography through that VPN tunnel, turn on FIPS mode for that firewall.
Or at least for the VPN, but most firewalls you'd... Well, I don't know about that.

(16:21):
But a lot of firewalls, you turn on FIPS mode, and you either turn it on, and it turns off all the stuff that's not FIPS, or you have to go meet all the requirements, and then you can turn it on.
I know SonicWall just changed from one method to the other.
But you have to turn that on.

(16:41):
And really, to tell you the truth, it's just safer just to go ahead and turn on FIPS mode on the firewall.
It's easy.
There's not that much impact.
There is some, but it's all good stuff.
So turn on that FIPS mode for the firewall is a good thing too.
Any cloud services for CUI should be FedRAMP authorized or equivalent.

(17:06):
And if they are, then they'll have FIPS mode.
But if they're equivalent, you need to make sure that you've looked at all the documentation and it actually is in FIPS mode, that they use FIPS-validated cryptography.
So FIPS cryptography is another thing.
Set up your audit logs for monitoring.

(17:26):
You define the monitoring.
You define the categories, but you need to be able to research and find issues.
So... But your audit logs for wherever you touch CUI and wherever it travels.
It's going to be your firewalls.
It's going to be possibly your APs and network equipment, possibly your servers, stuff like that.

(17:47):
So turn on all those audit logs.
The next thing is all those logs have to be reviewed.
So you can go review those logs.
And that's– fine-ish, but really to do it properly, you should have at least a SIEM, if not a SOC helping you, but at least a SIEM gathering all those in one place because those logs have to be protected.

SPEAKER_02 (18:16):
Not required, but if you're a small team, it's a heck of a lot easier to go buy a product that does a lot of the things for you.

SPEAKER_00 (18:23):
It doesn't tell you you have to have a SIEM, but the things it tells you you have to do with the logs– a SIEM does all that and makes it easy for you.
The next thing is your incident response plan.
And you have to build out a good incident response plan.
I saw this question come up just the other day.

(18:44):
How many of you IT guys have incident response plans?
What do we know to do in this case or that case?
That's not an incident response plan.
Not everybody will do the same thing.
But you have to have that response plan.
It has to be built out.
The first time you build that out, it's going to be a booger.
It's going to be tough to go through and build out that thing.

(19:06):
But you're supposed to also test it.
So if you test it, for instance, annually, you go through and test it, I guarantee you, you're going to find things you have to change.
But that's the point of testing it, you know, is to find these problems in it.
And things are going to change from time to time, so you're going to need to update your incident response plan.

(19:26):
But once you get it built out, adding on to it, updating it, all that stuff is not nearly as hard as building it out the first time.
It may be involved, but not nearly as much.
So those are some of the high-priority things that make a big difference.
And I would say those are probably good things to do next.

SPEAKER_02 (19:44):
How do you handle all the documentation?
Because you can't go too far in the implementation without starting on the paperwork.

SPEAKER_00 (19:51):
Well, a lot of the controls and assessment objectives are documentation related.
Mm-hmm.
You know, it's less than 50% technical.
Using templates is a good thing.
So if you find some templates, you can use those.
It's always better to...

(20:13):
With scripts, I always tell people, you know, I never write a script myself.
I always find one that does mostly what I want and then I bastardize it and make it my own.
Or it's like a recipe.
You know, you take somebody else's recipe and you say, I don't like this and this.
I'm going to change this up.
And so now it's mine.
Right.
And so then you can take credit for that recipe, too.

(20:34):
So really, documentation is hugely important in this.
For procedures you're supposed to follow, policies you're supposed to follow, but also for proving that you're doing things.
It's good to start off with a template if you can get one, either find one and download it.
The ones that you can download for free are so-so; there are good ones that you can buy.

(20:56):
But either way you go, you're going to have to customize that template, that policy, for instance; you're going to have to customize that quite a bit.
I've been saying this a lot, but look at the assessment objectives, fulfill those assessment objectives, and you won't have– and that takes care of the control, right?

(21:19):
Um, so once you take care of all those objectives, uh, makes it much easier.
Some of them, uh, you know, like, um, 3.1.1, it has six different things, and they do this for processes, do this for people, do this for devices.
Well, if your policy addresses people, devices, and processes and says what you have to do with those, that you have to have authorized and you have to configure them right and everything.

(21:44):
So if you have– you can– put all those together in one policy and make it sound a lot better than dividing them all up.
This is what we do for processes.
This is what we do for people.

(22:04):
So you can combine those or some parts of those.
Point, though, is that you do have to customize those for how you do things.
The SSP... you can use an SSP template pretty easily and then put in what you do.
The SSP, your system security plan, is going to be kind of at a high level what you do to fulfill those controls and assessment objectives.

(22:28):
The policies are going to get down to the nitty gritty.
So the SSP, you can take that template and you can just stick in high level what you do on these things, get that taken care of, and then you can refer to your policies.

(22:52):
Your policies, you write out in-depth, this is how we take care of this.
And you can certainly start with a template.
We start with a template, but they're heavily modified for that particular client.
This is how we do it.
In this instance, not everybody's the same, believe it or not.
I know there's a lot of vendors out there who say, buy this solution here, put it in place, and you have your enclave, and you're good.

(23:13):
Here's some documentation, and you're good to go.
That box doesn't perfectly fit a lot of people.
So once you break that box a little bit, guess what?
You've just brought more things into scope.

SPEAKER_02 (23:36):
The truth really comes out in the wash, and the wash is the assessment.
Because then the assessor starts asking questions, and you realize the perfect little– silver bullet solution you bought is suddenly not a silver bullet solution anymore.

SPEAKER_00 (23:50):
Right.
Absolutely.
And you know, uh, most of the DIB is, is made up of, uh, manufacturers.
And so they have machines on the floor that have computers that control them and CNC machines and, and whatnot.
And, uh, you know, so how do you get that CUI from your environment to that machine?

(24:10):
Uh, it can be a host of different ways, but you have to fulfill those controls and assessment objectives and do it properly.
So my point is that templates and box solutions are great.
But most likely you're going to have to customize those.

(24:31):
You will have to customize the policies.
And most likely, unless your business just happens to fit in a box, then you're going to have to customize that solution some too or make that solution fit a portion of your business, for instance.
Yeah.
I guess I'm saying kind of the same thing in a different way.
But– yes, you can absolutely start with templates, but they will be heavily modified.

(24:54):
If you don't heavily modify them, then they're just not going to fit and not going to be defined enough for an assessor.

SPEAKER_02 (25:02):
Yeah.
It's real hard to buy compliance off the shelf.
You can certainly throw a lot of money at the problem and it makes it a lot easier, but you can't just buy it off the shelf.
It doesn't work that way.

SPEAKER_00 (25:14):
Right.
And I will say just what I said just a minute ago, you can buy it off the shelf, but you'll have to customize it.
I don't know about all of them.
Some of the ones I've seen that have been purchased have been a pretty good set of policies and plans and procedures, and it's not just SSP and policies.

(25:34):
You're going to have some policies.
You're going to have your SSP, and you're going to have some policies.
You're going to have some plans and procedures.
You're also going to have lists.
There's a lot.
But the good sets include all that stuff to where you can customize it for yourself.
They help you– a list will help you.

(25:56):
Oh, I've got to include all these columns.
That makes sense.
Where otherwise, if you're creating your own list, you might accidentally leave something out that is key to understanding.
And this whole thing is also about the assessor understanding what you're doing and feeling comfortable with what you're doing.
Because if it's not clear, they're going to ask a lot of questions.

(26:19):
They're going to do a lot of testing.
All that kind of fun stuff.
And which is fine, but that leads to a lot more work.
It also leads to discovering something.
Ooh, I left this out.
That's good if they discover that, but you should have already discovered it.
And hopefully you'll discover that when you're trying to flesh out your documentation.

SPEAKER_02 (26:41):
Let's talk about time savers.
What helps most when you're not full time on this?

SPEAKER_00 (26:46):
So there are some tools or some things that can help out that are time savers.
So an automated collection, evidence collection tool, you know, an easy one to think of is your SIEM.
It gathers your logs.
There are also other tools out there that vendors sell that will help you gather that information from different systems.

(27:11):
Then you also have your continuous monitoring that you have to do.
Continuous monitoring may be from an RMM or something like that or monitoring and management tool or something else or related, and so that also gathers evidence automatically for you.

(27:31):
So those kind of things are a time saver for you where you don't have to go fill things out manually, go search for things, go run reports and export stuff.
If you can have that stuff ready to go, and I guess maybe you might have to export it from whatever tool and put it into a GRC that you have, for instance, or wherever your documentation archive is at.

(27:52):
Speaking of that, another thing would be centralized documentation.
So it's perfectly fine to have a bunch of Word docs and spreadsheets in one place where you keep everything located at and maybe have version numbers or whatever you want to do on that.

(28:14):
It's perfectly fine to do that.
But that is a bit of a bear to manage when you're trying to manage, you know, 20, 30, 40, 50 documents.
And did somebody take one and update it and forget to put it back or whatever?

(28:37):
So if you're the only one doing it and you're managing all that, then I guess maybe it's not that hard.
But it's still a lot of documents to keep track of.
If you have a GRC tool to store everything in, that is your centralized documentation platform.
That is most of those GRC tools.
A lot of them that have CMMC in mind, not just as an afterthought, but, you know, are built for CMMC.

(29:03):
A lot of those will help you calculate your SPRS score.
They can output an SSP for you.
You can put your policies right in there.
They can live as live documents and change them and automatically have version numbers, histories, and all that kind of fun stuff.

(29:23):
What's changed?
You can assign responsibilities.
So a centralized document storage platform, which is, I'll just say, a GRC tool, Governance, Risk and Compliance tool.
So a GRC tool.
The one that we use, and I talk about this all the time, but it's because I really like them, is FutureFeed.

(29:45):
We love FutureFeed for CMMC.
They've done a wonderful job with it.
They've built it out very well.
They continue to build it out.
It's a very good platform.
So go talk to Mark Berman, Chase Berman.
They're good folks over there.
But if you don't use FutureFeed, use some sort of GRC tool.

(30:05):
It really does help a lot.
I know it helps us stay in sync with our clients.
We're both looking at the same documentation in the same spot.
It really helps out a bunch.

UNKNOWN (30:19):
Mm-hmm.

SPEAKER_00 (30:20):
Monthly review meetings help out, especially when you have a team or clients or whatever.
Monthly review meetings or more often while you're implementing things.
But these are– scheduled meetings are very important while you're ongoing and implementing this.

(30:41):
But they're also important for some of your documentation as well because you have to have certain– meetings and updates every so often, and these meetings help fulfill that.
But have scheduled meetings to help you go through things, make sure things are updated, make sure you're reviewing risk, reviewing security, all that fun stuff.

(31:03):
Those really help out a lot.
If you have a little bit larger team, or if you have any team, but you can assign responsibilities: HR is in charge of training, and IT is in charge of implementing technical controls, and whatever compliance team or whoever that may be is in charge of the documentation.

(31:24):
But if you can split out those roles and assign people– which you can do with the GRC platform, by the way, or most of the good ones you can.
So that's a really good thing to do.

(31:47):
And the other thing is don't forget that you can outsource specific pieces or the whole thing or anywhere in between to help you out and help you get this done.

SPEAKER_02 (31:58):
All right, let's land the plane here.
If you only have a few hours a week to work on CMMC, what are some practical tips that can get you some steady progress, kind of wrapping up?

SPEAKER_00 (32:08):
Sure, sure.
And if you only have a very few hours a week, then God bless you.
Good luck.
But it can be done.
But it won't be done overnight.
Even if you have all the people in the world, it still will not be done overnight, just so you know.
If you block...

(32:29):
Block a couple hours a week at the very least.
Set that, just like we were talking about earlier, set that aside.
Make that scheduled time that you take all your other hats off.
You put them off to the side.
You put them out of view.
You don't want your other hats to be in view.
You take off all your other hats, and you wear only your CMMC hat.

(32:49):
And you step through the phases of stuff that we talked about earlier, which we'll probably hit on here in a second.

SPEAKER_02 (32:56):
So work from home or lock the door so no one comes in your office.

SPEAKER_00 (32:58):
Work from home or lock the door.
Ignore the phone.
Unplug the phone.
I don't know.
But block off at least a couple hours a week, if not more, to work on just this to get it done.
So that's one of the first things you do.
You need to set time aside to do just this, to where you focus on just this.

(33:19):
It's very hard to get this stuff done if you're doing other things and you have to get your mind wrapped back up and, you know, I've got to go unlock a user account and now I can come back and where was I with the CMMC stuff?
So it's hard to get pulled away to do other things.
So set aside some time, just like you're in a client meeting or whatever, whatever it may be, you can't be bothered while you do this stuff.

(33:39):
It's very important to stay focused and get this stuff done, especially if you don't have much time available to do it.
Breaking your work into phases and writing those phases out and understanding what goes in each phase and not getting everything all jumbled together.

(34:00):
So you need to figure out what type of CUI you have.
You need to figure out where it lives and where it goes.
So processed, transmitted, and stored.

(34:21):
So you need to figure out whereit goes.
I would draw that out so youunderstand it.
And you see that visually.
And then do a gaps assessmentand figure out where you're at,
where you need to be.
And then after that, the otherphases are things that we talked

(34:42):
about a while ago, is to do allyour low– the next phase would
be your implementation.
So break your implementationdown into sub-phases as well.
They're going to be knock outall your low-hanging fruit.
Take people out of the adminsgroup, my God, please.

(35:02):
Yeah.
Lock down your ACLs on yourserver.
Make use of groups so that it'seasier to do.
All the low-hanging fruit thatyou can get done that you should
probably be doing anyway, getthose done.
Then go for your big-ticketitems that make a lot of

(35:23):
difference.
Implement MFA, implement FIPS, stuff like that, make sure that
you have that going.
And then make sure that you have your documentation spelled out.
You can start off with your SSP and say, this is how we do
things at a high level.
And you can go back and change that anytime you need to.

(35:45):
As you go through some of this stuff and figure out how you're
going to implement this, you'll have a POAM, a plan of action
and milestones, from your assessment.
You can break that down into, and this is something I didn't
mention a while ago, but you can take that POAM and say,
here's all these assessment objectives, all these controls
that need to be addressed that are not done.

(36:06):
And that's what your POAM is.
And you can take those, group them together, and say, I can do
these 10 items with this project.
I can do these 20 items with this project.
I can do these two things by doing this small project.
Whatever it is, break it down into projects.

(36:26):
Then you can also, from there, figure out what projects are
just going to be just your labor and buckling down and getting
it done in that two hours a week you have.
Or how much it's going to cost.
Am I going to need a new server?
Am I going to need a new enclave, or a new server for an enclave?
Maybe, are we going to need to buy this product or that

(36:47):
product?
Are we going to, you know, what do we need to do to fulfill
these?
And you can figure out the effort involved and the cost
involved with your POAM and making projects out of that.
So that's a very important part.
And that helps you with your implementation, breaking
your implementation down into phases as well.
So it's very important. That POAM is very

(37:13):
important to use to make projects out of.
And I'll go back to GRC platforms.
The good GRC platforms will help you with the POAM.
You'll have your POAM, your items that you need to address.
Then you can also make projects out of those within your GRC
software and assign projects, you know, criticality, effort

(37:35):
involved, cost involved.
You know, you can assign all that.
You can assign people to do them, the whole nine yards.
So the GRC platform can help with a lot of this stuff.
But that POAM is very important during implementation because it
is for implementation.
But you can use that, as I said, to make projects out of it.
For your policies and everything, you can, like we

(38:00):
said, use a template approach.
Be very careful with free ones.
Always make sure they're up to date with the latest controls
and assessment objectives and CMMC, all the stuff that CMMC
requires.
But you can use templates.
Just make sure they're good templates.

(38:20):
And I will tell you that the ones you can go purchase from
some of the good C3PAOs and other vendors, most of those
templates are going to be better than the free ones you can find.
But you can find decent free ones, I'm sure.
So we don't use templates.
We use ones that we developed over time and changed a lot over

(38:41):
time.
We started in this back in 2017.
So I could tell you that our policies that we developed back
in 2017 are not this.
Well, I guess they're the same policies that we had back in
2017, but they don't look the same at all.
So they were more simple and more, however view back

(39:01):
then.
And now they're a lot more detailed.
But that's the point with buying good documentation
versus something free you can find on the Internet.
So a template approach is just fine.
Just make sure you customize it for your use.
Because even if another widget manufacturer that makes–

(39:27):
aerospace manufacturer that makes the same sort of widgets
you do with the same sort of machines– they're going to have
a different workflow, most likely, than you do.
Maybe a lot the same, but it's not going to be exactly the
same.
And so their policies are going to look a little different than
yours, for instance.
So the point is you have to customize those policies.

(39:50):
If you have more than one person working on it, and hopefully you
do, then you can assign responsibilities.
Even if you don't have more than one person working on it and you
have an HR person, for instance, you can say, hey, our training
platform that we have, you make everybody take this little
five-minute cybersecurity training.

(40:11):
I need to add these things on it to cover CMMC.
And most training platforms will have that, or you can upload or
create some custom content for those training platforms to use,
or you can develop your own training program too.
That's always okay.
But any of those you can assign to somebody else.
That's always a good thing to do.

(40:33):
Again, tracking your progress visually, whether– and I'll go
back to– GRC platform.
GRC platform will do this as well.
But if you have one document, or maybe even more than one, but if
you have one document where you can track your progress in a
spreadsheet on all these different controls, and there

(40:57):
are lots of templates that will help you do this for
spreadsheets, but track your progress visually,
all in one where it's easy to see, that will help you go
through this and not be overwhelmed.
There's lots of them that will help you track your progress,
but they're complicated to use, and those just help to blow your

(41:17):
mind up.
One of the other things is, even if you are the only one doing
this and you wear four or five other hats and now you're in
charge of compliance, then you know, a good thing to do is
outsource, you know, outsource key pieces that you need, you

(41:37):
know, outsource your SSP and policy and
documentation creation, you know, whatever it is, outsource
something to help you out.
And that also helps you not only, it will help you get it
done faster, but it helps you with good advice.
You know, you get some good advice.
Now, preferably, you want somebody with at least an RPO,

(42:06):
preferably maybe a CCP or CCA on staff.
CCAs I know can help out with this.
I would imagine most of them are going to be– there's going to be
a good deal that are tied up in assessments and won't have time
for a small engagement.
So, but folks that have those, companies that have

(42:28):
those folks on staff and do implementation, then
that's a good way to get good advice, is to engage some of
those implementers to help you out.
And then the only other thing to remember while you're
trying to get this done is that this isn't a one-and-done thing.
And if you look at NIST 800-171 and CMMC,

(42:51):
it's not, you know, they don't say implement this and
then you're good.
They say implement this and manage it.
So it's ongoing management.
It's ongoing monitoring.
Be updating your documentation.
I can tell you your incident response plan is going to be one
of those things that every time you test that incident response

(43:13):
plan, you're going to go, eh, we didn't think about this.
You should not test the exact same scenario every single time.
Or maybe you did so poorly on the first one that you
do want to test it again.
But you should test different scenarios.
And you should find things in your IRP
that you need to address.

(43:34):
In that policy or the plan or procedures that you need to
address, you need to shore up and make better.
So it is an ongoing thing.
Don't forget that.
So once you get it done, you're in management, monitoring, and
maintenance mode.

SPEAKER_02 (43:49):
And if this all seems too complicated or you
don't want to do it yourself, we are offering a free roadmap to
an SPRS 110 score.
So SPRS is your self-assessment of basically the 110 controls,
right?
And so what this session is, is just kind of sitting down with
us for 90 minutes, myself and Brooke, and then we'll just kind

(44:12):
of walk through where you're at for compliance right now, where
you need to be, what the gaps are, more or less, and then kind
of jotting out a personalized roadmap for you to see how you
could get to 110, and that's all free.
So that hour-and-a-half session is what we offer just kind of as

(44:33):
a get-to-know-us offer there.
So you'll understand where you currently stand, what gaps you
have that could cost the contracts, and then get that
personalized roadmap.
Absolutely.
That should be in the description down below if you
want to take advantage of that.
If not...
Keep coming back and we'll keep giving away the secrets for free

(44:54):
here on the show.
Thank you everyone for joining us today.
If you have any questions about what we covered, please reach
out to us.
We're here to help fast-track your compliance journey.
Text, email, or call in your questions.
Also, you can comment questions as well.
We'll answer them for free here on the podcast.
You can find our contact information at
cmmccomplianceguide.com.

(45:16):
Stay tuned for our next episode.
Until then, stay compliant and stay secure.
And make sure to subscribe.